I found this interesting statement about GKE:

In a default Kubernetes installation, Kubernetes secrets are stored in etcd in plaintext. In GKE, this is managed for you: GKE encrypts these secrets on disk, and monitors this data for insider access.

(Source: https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-encrypting-kubernetes-secrets-with-cloud-kms)

How does DigitalOcean store Kubernetes secrets? In plaintext or encrypted?

edited by MattIPv4

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

1 answer

Hi there!

DOKS does not have etcd secrets encrypted at rest. This is something the DOKS team is aware of and plans to discuss.


John Kwiatkoski
Senior Developer Support Engineer

  • Hello John,

    Privacy is key for us and we are very concerned about this topic.
    Do you have an expectation when DO will have a cloud KMS implementation ready for customers, please?


    Richard Gomes

    • I apologize as I misspoke before. I just got this update from engineering:

      “All data in etcd is encrypted at rest on the backend and always has been. Additionally encrypting secrets within etcd, and was released in these versions:

      Secrets get encrypted on upgrade to those versions for existing clusters.”

      I hope that answers your issues. Let me know if you have any further questions.


      John Kwiatkoski
      Senior Developer Support Engineer - Kubernetes

Submit an Answer